What is the primary objective of AS9120B?

AS9120B's primary objective is to establish a quality management system (QMS) for organizations that procure, store, split, and resell aerospace parts without altering product characteristics. Built on ISO 9001:2015's 10-clause structure, it adds over 100 aerospace-specific requirements addressing distribution risks like loss of traceability, counterfeit/suspected unapproved parts, documentation errors, and inventory mix-ups. Key focuses include chain-of-custody controls (Clauses 8.5.2, 8.1.4/5), external provider evaluation (Clause 8.4), configuration management, and product safety awareness to ensure conformity from receipt to delivery.

Who is legally or professionally required to comply with AS9120B?

AS9120B applies to stockist distributors, pass-through distributors, and organizations performing batch splitting of aviation, space, and defense (ASD) parts without modifying characteristics. It targets those procuring, storing, and reselling into OEM/Tier 1 supply chains. Certification is not legally mandatory but is a commercial requirement from primes/OEMs for market access and OASIS listing. As of 2026, over 2,400 global certifications underscore its de facto necessity; excludes value-added modifiers or MRO entities.

Oes AS9120B require an external audit or third-party certification?

Yes, AS9120B requires third-party certification through accredited registrars via Stage 1 (documentation) and Stage 2 (implementation) audits per AS9101F, followed by annual surveillance and triennial recertification. Certification bodies operate under IAQG oversight, listing approved distributors in the OASIS database for supply chain visibility. Internal audits (Clause 9.2) support readiness, but external validation confirms QMS effectiveness against all clauses.

How often should an assessment for AS9120B be performed?

AS9120B requires internal audits at planned intervals to cover the full QMS annually (Clause 9.2), with management reviews at defined intervals (typically quarterly or semi-annually, Clause 9.3). Assessments include monitoring/measurement (Clause 9.1), customer satisfaction trending, and risk/opportunity effectiveness evaluation. Surveillance audits occur yearly post-certification, with full recertification every three years. Frequency adjusts based on risks, nonconformities, and performance data.

What are the consequences of non-compliance with AS9120B?

Non-compliance with AS9120B risks contract disqualification by OEMs/primes, exclusion from OASIS, supply chain debarment, and liabilities from nonconforming parts like recalls or safety incidents. Lacks legal penalties but incurs commercial losses, audit findings leading to certification suspension, reputational damage, and operational disruptions (e.g., traceability failures enabling counterfeit infiltration). Major nonconformities in traceability (8.5.2) or counterfeit controls (8.1.4) trigger corrective actions and potential market exclusion.

An AS9120B be mapped to other international frameworks?

Yes, AS9120B directly aligns with ISO 9001:2015's high-level structure, enabling seamless mapping of its 10 clauses. Aerospace additions (e.g., counterfeit prevention, traceability) build on ISO baseline without conflict, facilitating integrated QMS. Clause-by-clause comparisons show full ISO conformance plus distributor enhancements; supports transitions from AS9120A via "not applicable" justifications (e.g., Clause 8.3 design).

What is the first step to begin implementing AS9120B?

The first step is conducting a gap analysis against AS9120B clauses using a certified checklist to identify deficiencies in context (Clause 4), risks (Clause 6), and operations (Clause 8). Form a cross-functional team, document scope/applicability (Clause 4.3), and prioritize high-risk areas like supplier controls (8.4) and traceability (8.5.2). Appoint a Management Representative (Clause 5.3) and produce a risk register to inform the implementation plan.

What is the primary objective of GDPR UK?

The primary objective of UK GDPR is to protect the fundamental rights and freedoms of individuals in relation to personal data processing through enforceable principles and accountability. It mandates seven core principles under **Article 5lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability, requiring controllers to demonstrate compliance.

Who is legally or professionally required to comply with GDPR UK?

UK GDPR applies to controllers and processors established in the UK, and extraterritorially to non-UK entities offering goods/services to or monitoring behaviour of UK individuals. This includes public/private organisations processing personal data, with controllers bearing primary responsibility for lawfulness and rights, while processors must adhere to security, contracts, and assistance obligations under Article 28.

Does GDPR UK require an external audit or third-party certification?

UK GDPR does not mandate external audits or third-party certification. Compliance relies on the accountability principle (Article 5(2)), demonstrated through internal records of processing activities (Article 30), DPIAs, processor contracts, and security testing; the ICO may require evidence during investigations.

How often should an assessment for GDPR UK be performed?

UK GDPR requires ongoing assessments, with Records of Processing Activities (RoPA) maintained continuously and reviewed regularly. DPIAs must be conducted for high-risk processing and updated as needed; security measures require regular testing and evaluation (Article 32), typically annually or upon material changes.

What are the consequences of non-compliance with GDPR UK?

Non-compliance with UK GDPR can result in fines up to the higher of £17.5 million or 4% of global annual turnover for serious infringements. The ICO applies a structured five-step fining process per its 2024 Data Protection Fining Guidance, targeting undertakings (including groups), plus enforcement notices, processing bans (Article 58), and data subject compensation claims.

Can GDPR UK be mapped to other international frameworks?

UK GDPR's core principles and structure align closely with EU GDPR, enabling direct mapping of controls like principles, rights, and DPIAs. However, post-Brexit differences in regulatory jurisdiction (ICO vs. EDPB), transfers (IDTA required), and UK-specific laws (e.g., Data (Use and Access) Act 2025) necessitate adjustments.

What is the first step to begin implementing GDPR UK?

The first step to implement UK GDPR is to create a comprehensive Record of Processing Activities (RoPA) under Article 30. This maps processing purposes, lawful bases, data flows, processors, transfers, retention, and safeguards, establishing the accountability foundation for DPIAs, rights handling, and vendor governance.

Standards Comparison

AS9120B vs GDPR UK

AS9120B

Mandatory

2016

Aerospace standard for distributor quality management systems

GDPR UK

Mandatory

2016

UK regulation for personal data protection and privacy.

Quick Verdict

AS9120B ensures quality management for aerospace distributors via certification, while GDPR UK mandates personal data protection for all UK-handling organizations with hefty fines. Distributors adopt AS9120B for supply chain access; all adopt GDPR UK to avoid legal penalties.

Quality Management

AS9120B

AS9120B Quality Management Systems – Requirements for Distributors

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Counterfeit and suspected unapproved parts prevention
Enhanced traceability for split lots and chain-of-custody
Risk-based external provider evaluation and flowdown controls
Configuration management via sales order traceability
Product preservation and shelf-life controls in distribution

Data Privacy

GDPR UK

UK General Data Protection Regulation (UK GDPR)

Cost

€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Seven enforceable data processing principles
Comprehensive individual data subject rights
Accountability requiring demonstrable compliance
Mandatory DPIAs for high-risk processing
72-hour ICO breach notification rule

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

AS9120B Details

What It Is

AS9120B is the IAQG quality management system standard for aerospace distributors, based on ISO 9001:2015's 10-clause structure. It applies to organizations procuring, storing, splitting, and reselling parts without alteration, using a risk-based approach to address distribution risks like traceability loss and counterfeits.

Key Components

Over 100 aerospace-specific requirements beyond ISO 9001.
Pillars: context analysis, leadership, planning, support, operations (traceability, counterfeit prevention, provider controls), evaluation, improvement.
Built on PDCA cycle; requires documented information, not full manual.
Certification via accredited bodies, OASIS listing.

Why Organizations Use It

Commercial necessity for OEM/Tier-1 supply chains.
Mitigates risks of nonconformities, counterfeits, recalls.
Builds customer trust, enables market access (over 2,400 global certifications).
Drives efficiency, reduces errors in chain-of-custody.

Implementation Overview

Phased: gap analysis, process design, training, audits (6-12 months).
For distributors any size; focuses on operational controls.
Involves supplier registers, traceability systems, internal audits.

GDPR UK Details

What It Is

UK General Data Protection Regulation (UK GDPR) is the UK's post-Brexit adaptation of EU GDPR, a binding legal regulation enforced by the ICO. It governs personal data processing to protect individuals' rights and freedoms. Key approach: risk-based accountability with seven core principles.

Key Components

Seven principles: lawfulness, fairness, purpose limitation, minimisation, accuracy, storage limitation, integrity/confidentiality, accountability.
Data subject rights: access, rectification, erasure, portability, objection.
Obligations: RoPAs, DPIAs, processor contracts, breach notifications.
Compliance model: demonstrable via documentation; fines up to 4% global turnover.

Why Organizations Use It

Mandatory compliance avoids ICO fines (£17.5m max).
Manages enterprise risks, builds stakeholder trust.
Enables secure data use, operational efficiency, competitive edge in privacy.

Implementation Overview

Phased: discovery/RoPA, policies/contracts, training, DPIAs, audits.
Applies to UK-established orgs and extraterritorial targeting; all sizes/industries.
No certification; ongoing ICO enforcement, self-attestation.

Key Differences

Aspect	AS9120B	GDPR UK
Scope	Aerospace parts distribution QMS	Personal data protection principles
Industry	Aerospace distributors globally	All sectors handling UK personal data
Nature	Voluntary certification standard	Mandatory legal regulation
Testing	IAQG certification audits	Internal audits, ICO enforcement
Penalties	Loss of certification	Fines up to 4% global turnover

Scope

AS9120B

Aerospace parts distribution QMS

GDPR UK

Personal data protection principles

Industry

AS9120B

Aerospace distributors globally

GDPR UK

All sectors handling UK personal data

Nature

AS9120B

Voluntary certification standard

GDPR UK

Mandatory legal regulation

Testing

AS9120B

IAQG certification audits

GDPR UK

Internal audits, ICO enforcement

Penalties

AS9120B

Loss of certification

GDPR UK

Fines up to 4% global turnover

Frequently Asked Questions

Common questions about AS9120B and GDPR UK

AS9120B FAQ

GDPR UK FAQ

You Might also be Interested in These Articles...

Unpacking the True Cost: A Guide to Calculating TCO for Modern Compliance Monitoring Software

Unpack the true Total Cost of Ownership (TCO) for compliance monitoring software. Factor in licenses, implementation, training, maintenance, and ROI savings for

Top 10 Cost-Saving Hacks for CMMC Compliance: Budgeting Blueprints for Small DIB Suppliers

Slash CMMC costs 30-50% with top 10 hacks for small DIB suppliers. Enclave scoping, FedRAMP clouds, automation, POA&M tips & budgeting blueprints for Level 2 co

Beyond the Burden: How Intuitive Compliance Software Transforms Daily Workflows

Explore intuitive compliance software that automates workflows, simplifies onboarding, and reduces stress. Cut non-compliance costs 3x and boost efficiency for

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how AS9120B and GDPR UK compare against other standards

Other AS9120B Comparisons

Other GDPR UK Comparisons

What It Is

Key Components

Over 100 aerospace-specific requirements beyond ISO 9001.

Pillars: context analysis, leadership, planning, support, operations (traceability, counterfeit prevention, provider controls), evaluation, improvement.

Built on PDCA cycle; requires documented information, not full manual.

Certification via accredited bodies, OASIS listing.

Key Components

Seven principles: lawfulness, fairness, purpose limitation, minimisation, accuracy, storage limitation, integrity/confidentiality, accountability.

Data subject rights: access, rectification, erasure, portability, objection.

Obligations: RoPAs, DPIAs, processor contracts, breach notifications.

Compliance model: demonstrable via documentation; fines up to 4% global turnover.

Aspect

AS9120B

GDPR UK

Scope

Aerospace parts distribution QMS

Personal data protection principles

Industry

Aerospace distributors globally

All sectors handling UK personal data

Nature

Voluntary certification standard

Mandatory legal regulation

Testing

IAQG certification audits

Internal audits, ICO enforcement

Penalties

Loss of certification

Fines up to 4% global turnover